Lemmy Security Advisory for Versions < `0.19.1`: Private message details leak.
submitted 10 months ago by Dessalines@lemmy.ml
github.com/LemmyNet/lemmy/security/advisories/G…
The full description of the bug is in the linked issue above, but the short version is:
Our CreatePrivateMessageReport
endpoint had a bug that would allow anyone, not just the recipient, to create a report, and then receive the details about private messages.
This allowed anyone to iterate over ids, creating thousands of reports in order to receive details about private messages.
Since those reports are visible to admins, it would be easy to discover if someone was abusing this, and luckily we haven't heard of anyone doing so on production instances (so far).
If you haven't, please be sure to upgrade to at least 0.19.1
for the fix.
Many thanks to @Nothing4You for finding this one.